Earlier this year, EA (Electronic Arts), one of the world’s largest games companies, reported a cyberattack and the theft of some 780 GB of source code for games such as FIFA 21 and the proprietary game engine. Frostbite used for many other profile games such as Battlefield. The threat actors responsible for the EA data breach put the stolen data up for sale on an underground hacking forum for $ 28 million, promising potential buyers that they would have “full capacity to operate all EA services. “.
Unfortunately for the hackers, on this occasion they failed to find buyers or extort money directly from EA, so they simply threw their loot on an underground forum. In a statement, EA said there was no evidence to suggest a player’s privacy was at risk and that he was working with law enforcement officials in connection with a criminal investigation. In progress.
But EA is not the only victim of the game and unfortunately more will follow. Hackers recently stole the source code of CD Projekt Red for Cyberpunk 2077 and The Witcher 3 and in July 2020 Nintendo’s source code for games such as Super Mario Kart and an unreleased Zelda game was released to the wild. In addition to short-term financial motivation, being able to see the inner workings of a game or engine could help hackers create cheats or cracks. The reputational repercussions of this situation among players, investors and third parties could affect confidence and revenues in the long term.
Source code is a big deal in software companies, whether for popular computer games or commercial applications. It is the heart of their intellectual property and losing control of it puts their businesses and customers at risk. In the recent SolarWinds attack, hackers managed to insert malicious code into the company’s Orion software used by thousands of organizations and governments around the world for network and infrastructure monitoring. The malicious code was inadvertently distributed by SolarWinds to its customers as an update or patch.
In an interview with the Motherboard news website, a representative of the criminal group behind the EA attack said he purchased stolen authentication cookies for an internal EA Slack channel from a dark web market called Genesis, for $ 10. They then used the cookies to mimic an EA employee and gain access to the company’s Slack channel before tricking an IT support employee into giving them access to the company’s internal code repositories.
Israeli cybersecurity firm Cyberpion said it contacted EA late last year to inform them of vulnerabilities that were leaving several domains and other assets royalty-free.
One of the problems is that large-scale software development is a complex process that involves multiple sites, teams, and tools. The primary tools for software developers are Integrated Development Environments (IDEs) such as NetBeans, which help them write properly designed and formatted code. Popular collaboration tools, like GitHub, also help development teams work together, collaborate, reuse useful code segments, and manage the entire process.
Often the code itself is stored on cloud servers, but the actual coding process – like most things – takes place on the user’s endpoint machine – which can increasingly be done at the home. House.
This distributed and collaborative environment presents a considerable attack surface to protect against multiple attack vectors such as phishing and social engineering, compromised user accounts or website downloads. Then there are infrastructure vulnerabilities such as unpatched servers or insecure FTP servers. And not to mention the disgruntled or financially motivated employee who can steal code directly.
It’s time to focus on the data
Traditionally, we’ve tried to protect data – or source code in this case – with multiple layers of security to prevent hackers or rogue insiders from gaining access. But the endless stream of headlines about EA’s successful cyberattacks on SolarWinds proves it isn’t working. So, if we can’t stop cybercriminals from entering or trust the people around us, we need to rethink traditional ‘castle and moat’ protection methods and take a data-centric approach, where security is built-in. data itself, including the valuable source code.
Technologies like full disk encryption will protect data while it is at rest on a sleeping hard drive or USB flash drive, which is ideal if a software developer loses a laptop computer but is absolutely no help. utility to protect data from unauthorized access or theft from a running computer. development system. So data needs to be protected not only at rest, but also in transit, when copied and used, on-premises or in the cloud.
The problem is that this level of encryption has been seen as complex and expensive and detrimental to performance and productivity, so only used to encrypt only “most important” or “sensitive” data. But deciding what’s important and sensitive and finding out where it’s stored isn’t an easy task.
In a recent Ponemon report, 67% of respondents say finding out where sensitive data resides in the organization is the number one challenge in planning and executing a data encryption strategy. The report also found that 31% cited classifying the data to be encrypted as difficult.
By weighing the scale too much towards automation, sensitive information is misclassified. And giving the user too much choice also results in misclassified data. After all, people tend to do what’s easiest and not necessarily what’s safest.
But with technological advancements and fast processing speeds, transparent data encryption can now be used to protect all data – structured and unstructured. In this way, classification for data security purposes becomes unnecessary and stolen information remains protected and unnecessary for cyber criminals.
In the case of EA or CD Projekt, hackers would have been disappointed when they realized that the data they had stolen was already encrypted and useless to them. No data, no ransom.